DETAILED ACTION

1. This action is in response to application 10/774,169 filed 4/11/07. Claims 1, 4-26, 28-35, 38-60, 62-69, 72-94, 96-108 represent a method, an apparatus, and a computer-readable medium for detecting and protecting against worm traffic on a network.



Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 1, 4-11, 21-22, 25-26, 28-35, 38-45, 55-56, 59-60, 62-69, 72-79, 89-90, 93-94, 96-103, 105 & 107 are rejected under 35 U.S.C. 103(a) as being unpatentable over Lyle, Patent No. 6,886,102 B1 in view of Smithson, Patent No. 6,886,099 B1.

Lyle teaches the invention as claimed, including a system and method for protecting a computer network against denial of service attacks (see abstract).

4. As to claim 1, Lyle teaches a method for processing communication traffic, comprising:

monitoring the communication traffic that is directed to the addresses in the subset (col 5, lines 12-17; Lyle discloses monitoring the network connection used to send and receive information via the network and other computers);

determining respective baseline characteristics of the communication traffic that is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses determining the baseline incident rate and the variance used for all networks);

detecting a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the group, wherein the deviation is indicative that at least a portion of the communication traffic is of potentially malicious origin (col 10, lines 28-34; Lyle discloses detecting a suspiciously high volume of network traffic and the particular portion of the network under attack).

But Lyle fails to teach the claim limitations of identifying a subset of the group of the addresses such that the addresses in the subset are expected to receive smaller amounts of the communication traffic than other addresses in the group, and, responsively to detecting the deviation, filtering the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin.

However, Smithson teaches computer virus detection (see abstract). Smithson teaches the limitation of identifying a subset of the group of the addresses such that the addresses in the subset are expected to receive smaller amounts of the communication traffic than other addresses in the group (figure 2; col 4, lines 5-25; col 5, lines 7-23), and, responsively to detecting the deviation, filtering the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin (figure 23; col 6, lines 34-45).

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Smithson so that the system would be able to determine whether files, software or emails contain a virus. One would be motivated to do so in order to identify the virus by comparing the parameters against the predetermined threshold levels and to block all traffic that contains a virus.
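The following is an added illustration, not part of this Office action or of either cited patent: a minimal Python implementation of the claim 1 method as recited above (a subset of addresses expected to receive little traffic, per-address baselines, deviation detection on the subset, and filtering applied to traffic for the whole group). The group, history, packets and the thresholds (fraction, k, floor, min_hits) are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Baseline:
    mean_rate: float   # mean packets per interval over the history
    stdev: float       # population standard deviation over the same history

def identify_low_traffic_subset(history, group, fraction=0.5):
    """Select the addresses in `group` that historically receive the least
    traffic. `history` maps address -> per-interval packet counts; the
    quietest `fraction` of the group (at least one address) is the subset."""
    ranked = sorted(group, key=lambda a: sum(history.get(a, [0])))
    n = max(1, int(len(ranked) * fraction))
    return set(ranked[:n])

def learn_baselines(history, subset):
    """Respective baseline per subset address: mean and stdev of packets/interval."""
    return {a: Baseline(mean(history.get(a, [0])), pstdev(history.get(a, [0])))
            for a in subset}

def count_per_dst(packets, subset):
    """Monitor only traffic directed to the subset: packets per subset address."""
    counts = defaultdict(int)
    for p in packets:
        if p.dst in subset:
            counts[p.dst] += 1
    return counts

def detect_deviation(counts, baselines, k=3.0, floor=5):
    """Subset addresses whose count exceeds mean + k*stdev. The absolute `floor`
    keeps a zero-variance baseline (an address that never sees traffic) from
    being tripped by a single stray packet."""
    deviating = set()
    for addr, b in baselines.items():
        threshold = max(b.mean_rate + k * b.stdev, b.mean_rate + floor)
        if counts.get(addr, 0) > threshold:
            deviating.add(addr)
    return deviating

def suspicious_sources(packets, deviating, min_hits=2):
    """Sources that reached at least `min_hits` distinct deviating addresses.
    A legitimate host rarely touches several quiet addresses in one interval,
    so a single hit alone does not get a source blocked."""
    hits = defaultdict(set)
    for p in packets:
        if p.dst in deviating:
            hits[p.src].add(p.dst)
    return {src for src, dsts in hits.items() if len(dsts) >= min_hits}

def filter_group_traffic(packets, group, blocked):
    """Filter traffic to ALL group addresses: drop packets from blocked sources."""
    return [p for p in packets if not (p.dst in group and p.src in blocked)]

def run_interval(history, group, packets):
    """One detection interval; returns (subset, deviating, blocked, kept packets)."""
    subset = identify_low_traffic_subset(history, group)
    baselines = learn_baselines(history, subset)
    deviating = detect_deviation(count_per_dst(packets, subset), baselines)
    blocked = suspicious_sources(packets, deviating) if deviating else set()
    return subset, deviating, blocked, filter_group_traffic(packets, group, blocked)

# Constructed sample data (not from the page): a group of six protected
# addresses and their packet counts over four past intervals.
GROUP = {f"10.0.0.{i}" for i in range(1, 7)}
HISTORY = {
    "10.0.0.1": [200, 210, 190, 205],  # busy web server
    "10.0.0.2": [120, 130, 125, 118],  # busy mail server
    "10.0.0.3": [50, 48, 55, 52],
    "10.0.0.4": [0, 1, 0, 0],          # quiet hosts: expected to form the subset
    "10.0.0.5": [1, 0, 0, 1],
    "10.0.0.6": [0, 0, 0, 0],          # unused address
}
SAMPLE = (
    [Packet("192.0.2.10", "10.0.0.1", 80)] * 10
    + [Packet("192.0.2.11", "10.0.0.2", 25)] * 3
    + [Packet("192.0.2.12", "10.0.0.4", 22)]   # one legitimate packet to a quiet host
    # a scanning host probing TCP/445 on every group address, 8 attempts each
    + [Packet("198.51.100.7", f"10.0.0.{i}", 445) for i in range(1, 7) for _ in range(8)]
)
```

Running `run_interval(HISTORY, GROUP, SAMPLE)` flags the three quiet addresses, blocks only the scanning source, and keeps the legitimate packet to 10.0.0.4 because that host touched a single quiet address.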

5. As to claim 4, Lyle and Smithson teach the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of communication protocols used in generating the communication traffic (col 10, lines 19-28; Lyle discloses tracking the communication traffic using the sniffer module).

6. As to claim 5, Lyle and Smithson teach the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of ports to which the communication traffic is directed (col 14, lines 38-42; Lyle discloses tracking the source of the attack to determine the point at which the attack is entering the network or sub-network).

7. As to claim 6, Lyle and Smithson teach the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of source addresses of the communication traffic (col 14, lines 13-19; Lyle discloses the characteristics of the incident, such as the source address, target address, and preceding characteristics).
8. As to claim 7, Lyle and Smithson teach the method as recited in claim 1, wherein the baseline characteristics comprise a distribution of sizes of data packets sent to the addresses in the group (col 10, lines 44-53; Lyle discloses that when a particular port receives an unusually high number of data packets of any type, the sniffer module identifies this as a possible attack).

9. As to claim 8, Lyle and Smithson teach the method as recited in claim 1, wherein the baseline characteristics are indicative of a distribution of operating systems running on computers that have transmitted the communication traffic (col 21, lines 32-49; Lyle discloses determining the system that is receiving and sending the packets).

10. As to claim 9, Lyle and Smithson teach the method as recited in claim 8, wherein detecting the deviation comprises reading a Time-To-Live (TTL) field in Internet Protocol headers of data packets sent to the addresses in the group, and detecting a change in values of the TTL field relative to the baseline characteristics (col 11, lines 26-38).

11. As to claim 10, Lyle and Smithson teach the method as recited in claim 1, wherein detecting the deviation comprises detecting events that are indicative of a failure in communication between a first computer at one of the addresses in the group and a second computer at another location in the network (col 6, line 61 - col 7, line 15; Lyle discloses tracking the location of the core routers and any associated network element and blocking the potential attack).

12. As to claim 11, Lyle and Smithson teach the method as recited in claim 10, wherein detecting the events comprises detecting failures to establish a Transmission Control Protocol (TCP) connection (col 22, lines 25-43).
13. As to claim 21, Lyle and Smithson teach the method as recited in claim 1, wherein detecting the deviation comprises detecting a type of the communication traffic that appears to be of the malicious origin, and wherein monitoring the communication traffic comprises collecting specific information relating to the traffic of the detected type (col 4, lines 55-68; Lyle discloses monitoring the security of the computer network for suspicious, malicious or virus packets).

14. As to claim 22, Lyle and Smithson teach the method as recited in claim 21, wherein collecting the specific information comprises determining one or more source addresses of the traffic of the detected type (col 10, lines 38-43; Lyle discloses listing the suspicious source addresses).

15. As to claim 25, Lyle teaches a method for processing communication traffic, comprising:

monitoring the communication traffic originating from a group of addresses and passing through a selected node on a network (col 12, lines 44-53; Lyle discloses monitoring the communication traffic of the network for sending and receiving packets);

tracing a route of the traffic from the selected node back to the at least one of the addresses so as to identify a location of the computer on which the malicious program is running (col 6, lines 15-23; Lyle discloses a tracking system for the network elements of the protected area).

But Lyle fails to teach the claim limitation of detecting a pattern in the traffic originating from at least one of the addresses that is indicative of a malicious program running on a computer at the at least one of the addresses by determining that the computer has transmitted packets to a large number of different destination addresses.

However, Smithson teaches the limitation of detecting a pattern in the traffic originating from at least one of the addresses that is indicative of a malicious program running on a computer at the at least one of the addresses by determining that the computer has transmitted packets to a large number of different destination addresses (figure 2; col 4, lines 5-25; col 5, lines 6-23).

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Smithson so that the system would be able to determine whether files, software or emails contain a virus. One would be motivated to do so in order to identify the virus by comparing the parameters against the predetermined threshold levels and to block all traffic that contains a virus.

16. As to claim 26, Lyle and Smithson teach the method as recited in claim 25, wherein tracing the route comprises identifying a port of a switch on the network to which the computer is connected, and comprising disabling the identified port (col 16, line 54 - col 17, line 13; Lyle discloses tracking the port at which the attack was detected, so as to identify the port of the node through which packets or messages associated with the attack are entering that node).

17. As to claim 28, Lyle and Smithson teach the method as recited in claim 25, wherein detecting the pattern comprises detecting a large number of packets transmitted by the computer to a specified port (col 12, line 63 - col 13, line 8; Lyle discloses detecting when massive numbers of copies of a suspicious but relatively innocuous message are sent in the hope of overloading the security system).
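The following is an added illustration, not part of this Office action or of either cited patent: a Python sketch of the claim 25, 26 and 28 method as recited above (a source that has transmitted packets to a large number of different destination addresses, or a large number of packets to a specified port, is traced back from the monitored node to a switch port). The flow records, the neighbour and forwarding tables, the thresholds, and the choice of port 445 as the "specified port" are constructed assumptions; the result is a plan naming the port to disable, not a switch command.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int = 1

def distinct_destinations(flows, sources):
    """For each monitored source, the set of distinct destination addresses it sent to."""
    dsts = defaultdict(set)
    for f in flows:
        if f.src in sources:
            dsts[f.src].add(f.dst)
    return dsts

def detect_fanout(flows, sources, max_destinations=20):
    """Claim 25 pattern: a source that transmitted to more than `max_destinations`
    different addresses in the observation window (threshold is an assumption)."""
    return {s for s, d in distinct_destinations(flows, sources).items()
            if len(d) > max_destinations}

def detect_port_hammering(flows, sources, port, max_packets=50):
    """Claim 28 pattern: a large number of packets from one source to a specified port."""
    per_src = defaultdict(int)
    for f in flows:
        if f.src in sources and f.dport == port:
            per_src[f.src] += f.packets
    return {s for s, n in per_src.items() if n > max_packets}

def trace_to_switch_port(addr, neighbour_table, forwarding_tables):
    """Trace back from the monitored node: IP -> MAC via the ARP/neighbour cache,
    then MAC -> (switch, port) via the switches' forwarding tables.
    Returns None when the host cannot be located."""
    mac = neighbour_table.get(addr)
    if mac is None:
        return None
    for switch, table in forwarding_tables.items():
        if mac in table:
            return switch, table[mac]
    return None

def plan_response(flows, sources, neighbour_table, forwarding_tables):
    """Offending hosts mapped to the switch port each is connected to (None if untraceable)."""
    offenders = detect_fanout(flows, sources) | detect_port_hammering(flows, sources, 445)
    return {s: trace_to_switch_port(s, neighbour_table, forwarding_tables) for s in offenders}

# Constructed sample data (not from the page).
INTERNAL = {f"10.1.0.{i}" for i in range(1, 255)}
FLOWS = (
    # infected host probing TCP/445 on 60 distinct neighbours, 2 packets each
    [Flow("10.1.0.5", f"10.1.1.{i}", 445, 2) for i in range(1, 61)]
    # normal host: a handful of destinations
    + [Flow("10.1.0.7", "10.1.0.1", 53, 4), Flow("10.1.0.7", "203.0.113.9", 443, 30)]
)
NEIGHBOURS = {"10.1.0.5": "00:11:22:33:44:55", "10.1.0.7": "00:11:22:33:44:77"}
FORWARDING = {"sw-access-1": {"00:11:22:33:44:55": "Gi1/0/12"},
              "sw-access-2": {"00:11:22:33:44:77": "Gi1/0/3"}}

if __name__ == "__main__":
    for host, location in plan_response(FLOWS, INTERNAL, NEIGHBOURS, FORWARDING).items():
        print(f"{host}: disable port {location}")
```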

18. As to claim 29, Lyle teaches a method for processing communication traffic, comprising:

monitoring the communication traffic on a network so as to detect packets that are indicative of a communication failure in the network that is characteristic of a worm infection (col 10, lines 53-59; Lyle discloses monitoring the network traffic for traffic that is suspicious in the sense that it indicates that an attack may be taking place);

detecting an increase in a rate of arrival of the packets that are indicative of the communication failure (col 10, line 60 - col 11, line 1; Lyle discloses determining whether the rate of certain types of messages exceeds a normal level).

But Lyle fails to teach the claim limitation of, responsively to the increase, filtering the communication traffic so as to remove at least a portion of the communication traffic that is generated by the worm infection.

However, Smithson teaches the limitation of, responsively to the increase, filtering the communication traffic so as to remove at least a portion of the communication traffic that is generated by the worm infection (figure 23; col 6, lines 34-43).

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Smithson so that the system would be able to determine whether files, software or emails contain a virus. One would be motivated to do so in order to identify the virus by comparing the parameters against the predetermined threshold levels and to block all traffic that contains a virus.

19. As to claim 30, Lyle and Smithson teach the method as recited in claim 29, 
wherein monitoring the communication traffic comprises detecting Internet Control 
Message Protocol (ICMP) unreachable packets (col 9, lines 7-37). 

20. As to claim 31, Lyle and Smithson teach the method as recited in claim 29, wherein monitoring the communication traffic comprises detecting failures to establish a Transmission Control Protocol (TCP) connection (col 22, lines 25-43).

21. As to claim 32, Lyle teaches a method for processing communication traffic, comprising:

monitoring the communication traffic on a network so as to detect ill-formed packets (col 7, lines 9-19; Lyle discloses scanning the network for suspicious data within the tracking system);

making a determination, responsively to the ill-formed packets, that at least a portion of the communication traffic has been generated by a worm infection (col 8, lines 26-39; Lyle discloses an alert module that determines a potential attack).

But Lyle fails to teach the claim limitation of, responsively to the determination, filtering the communication traffic so as to remove at least the portion of the communication traffic that is generated by the worm infection.
However, Smithson teaches the limitation of, responsively to the determination, filtering the communication traffic so as to remove at least the portion of the communication traffic that is generated by the worm infection (figure 23; col 6, lines 34-43).

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Smithson so that the system would be able to determine whether files, software or emails contain a virus. One would be motivated to do so in order to identify the virus by comparing the parameters against the predetermined threshold levels and to block all traffic that contains a virus.

22. As to claim 33, Lyle and Smithson teach the method as recited in claim 32, wherein the packets comprise a header specifying a communication protocol, and wherein monitoring the communication traffic comprises determining that the packets contain data that are incompatible with the specified communication protocol (col 11, line 61 - col 12, line 19; Lyle discloses determining that a packet is incompatible by checking the numerical order of the packet).

23. As to claim 34, Lyle and Smithson teach the method as recited in claim 32, wherein the packets comprise a header specifying a packet length, and wherein monitoring the communication traffic comprises determining that the packets contain an amount of data that is incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses identifying a suspicious packet by its bits).
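The following is an added illustration, not part of this Office action or of either cited patent: a Python check for the ill-formed packets of claims 32-34 as recited above, comparing the IPv4 header's protocol field against the data actually carried (claim 33) and the header's total-length field against the number of bytes actually received (claim 34), followed by a per-source determination and filtering. The packet builder, the sample datagrams, the per-protocol minimum sizes and the `min_ill_formed` threshold are constructed assumptions.

```python
import struct
from collections import Counter

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IPV4_FMT = "!BBHHHBBH4s4s"          # fixed 20-byte IPv4 header
# Smallest transport header each protocol value promises in the payload (assumption).
MIN_PAYLOAD = {IPPROTO_ICMP: 8, IPPROTO_TCP: 20, IPPROTO_UDP: 8}

def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x09", dst=b"\x0a\x00\x00\x02",
               claimed_len=None):
    """Build a minimal IPv4 datagram as constructed test input (checksum left 0).
    `claimed_len` overrides the Total Length field to fabricate a mismatch."""
    total = 20 + len(payload) if claimed_len is None else claimed_len
    return struct.pack(IPV4_FMT, 0x45, 0, total, 0, 0, 64, proto, 0, src, dst) + payload

def ill_formed_reasons(raw):
    """List the ways `raw` contradicts its own headers; an empty list means well formed."""
    if len(raw) < 20:
        return ["shorter than the minimum IPv4 header"]
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack(IPV4_FMT, raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    reasons = []
    if version != 4:
        reasons.append(f"version field is {version}, not 4")
    if ihl < 20 or ihl > len(raw):
        reasons.append(f"header length {ihl} inconsistent with {len(raw)} bytes present")
        return reasons
    # claim 34: the packet length in the header vs the amount of data actually present
    if total_len != len(raw):
        reasons.append(f"total length field says {total_len}, {len(raw)} bytes received")
    payload = raw[ihl:]
    # claim 33: the protocol named in the header vs data that cannot be that protocol
    need = MIN_PAYLOAD.get(proto)
    if need is not None and len(payload) < need:
        reasons.append(f"protocol {proto} needs >= {need} payload bytes, got {len(payload)}")
    if proto == IPPROTO_UDP and len(payload) >= 8:
        udp_len = struct.unpack("!H", payload[4:6])[0]
        if udp_len != len(payload):
            reasons.append(f"UDP length field {udp_len} vs {len(payload)} payload bytes")
    return reasons

def src_of(raw):
    """Dotted source address from the IPv4 header, or 'unknown' for truncated packets."""
    return ".".join(str(b) for b in raw[12:16]) if len(raw) >= 20 else "unknown"

def worm_determination(packets, min_ill_formed=3):
    """Count ill-formed packets per source; a source at or above `min_ill_formed`
    is determined to be generating worm traffic and all of its packets are
    filtered. Returns (kept_packets, flagged_sources)."""
    bad = Counter(src_of(p) for p in packets if ill_formed_reasons(p))
    flagged = {s for s, n in bad.items() if n >= min_ill_formed}
    return [p for p in packets if src_of(p) not in flagged], flagged

# Constructed samples (not from the page).
UDP_DNS = struct.pack("!HHHH", 40000, 53, 8, 0)                # well-formed 8-byte UDP header
GOOD = build_ipv4(IPPROTO_UDP, UDP_DNS)
TRUNCATED_TCP = build_ipv4(IPPROTO_TCP, b"\x00\x50\x00\x50")   # says TCP, 4 payload bytes
LENGTH_LIE = build_ipv4(IPPROTO_UDP, UDP_DNS, claimed_len=400)
OTHER_HOST = build_ipv4(IPPROTO_UDP, UDP_DNS, src=b"\x0a\x00\x00\x01")
CAPTURE = [GOOD, TRUNCATED_TCP, LENGTH_LIE, TRUNCATED_TCP, OTHER_HOST]
```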

24. As to claim 35, Lyle teaches an apparatus comprising a guard device, which is adapted to monitor the communication traffic that is directed to a group of addresses in the subset (col 5, lines 12-17; Lyle discloses an apparatus that monitors the network connection used to send and receive information via the network and other computers),

to determine respective baseline characteristics of the communication traffic that is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses an apparatus that determines the baseline incident rate and the variance used for all networks),

to detect a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the subset, wherein the deviation is indicative that at least a portion of the communication traffic is of potentially malicious origin (col 10, lines 28-34; Lyle discloses an apparatus that detects a suspiciously high volume of network traffic and the particular portion of the network under attack).

But Lyle fails to teach the claim limitations of identifying a selected subset of the group of the addresses such that the addresses in the subset are expected to receive smaller amounts of the communication traffic than other addresses in the group, and, responsively to detecting the deviation, filtering the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin.

However, Smithson teaches the limitation of identifying a selected subset of the group of the addresses such that the addresses in the subset are expected to receive smaller amounts of the communication traffic than other addresses in the group (figure 2; col 4, lines 5-25; col 5, lines 6-23), and, responsively to detecting the deviation, filtering the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin (figure 23; col 6, lines 34-43).

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Smithson so that the system would be able to determine whether files, software or emails contain a virus. One would be motivated to do so in order to identify the virus by comparing the parameters against the predetermined threshold levels and to block all traffic that contains a virus.

25. As to claim 38, Lyle and Smithson teach the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of communication protocols used in generating the communication traffic (col 10, lines 19-28; Lyle discloses an apparatus that tracks the communication traffic using the sniffer module).

26. As to claim 39, Lyle and Smithson teach the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of ports to which the communication traffic is directed (col 14, lines 38-42; Lyle discloses an apparatus that tracks the source of the attack to determine the point at which the attack is entering the network or sub-network).

27. As to claim 40, Lyle and Smithson teach the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of source addresses of the communication traffic (col 14, lines 13-19; Lyle discloses the characteristics of the incident, such as the source address, target address, and preceding characteristics).

28. As to claim 41, Lyle and Smithson teach the apparatus as recited in claim 35, wherein the baseline characteristics comprise a distribution of sizes of data packets sent to the addresses in the group (col 10, lines 44-53; Lyle discloses that when a particular port receives an unusually high number of data packets of any type, the sniffer module identifies this as a possible attack).

29. As to claim 42, Lyle and Smithson teach the apparatus as recited in claim 35, wherein the baseline characteristics are indicative of a distribution of operating systems running on computers that have transmitted the communication traffic (col 21, lines 32-49; Lyle discloses an apparatus that determines the system receiving and sending the packets).

30. As to claim 43, Lyle and Smithson teach the apparatus as recited in claim 42, 
wherein the guard device is adapted to read a Time-To-Live (TTL) field in Internet 
Protocol headers of data packets sent to the addresses in the group, and to detect a 
change in values of the TTL field relative to the baseline characteristics due to the 
distribution of the operating systems (col 11, lines 26-38). 

31. As to claim 44, Lyle and Smithson teach the apparatus as recited in claim 35, wherein the guard device is adapted to detect events that are indicative of a failure in communication between a first computer at one of the addresses in the group and a second computer at another location in the network (col 6, line 61 - col 7, line 15; Lyle discloses an apparatus that tracks the location of the core routers and any associated network element and blocks the potential attack).

32. As to claim 45, Lyle and Smithson teach the apparatus as recited in claim 44, 
wherein the events comprise failures to establish a Transmission Control Protocol 
(TCP) connection (col 22, lines 25-43). 

33. As to claim 55, Lyle and Smithson teach the apparatus as recited in claim 35, wherein the guard device is adapted to detect a type of the communication traffic that appears to be of the malicious origin, and to monitor the communication traffic so as to collect specific information relating to the traffic of the detected type (col 4, lines 55-68; Lyle discloses an apparatus that monitors the security of the computer network for suspicious, malicious or virus packets).

34. As to claim 56, Lyle and Smithson teach the apparatus as recited in claim 55, wherein the specific information comprises one or more source addresses of the traffic of the detected type (col 10, lines 38-43; Lyle discloses an apparatus that lists the suspicious source addresses).

35. As to claim 59, Lyle teaches an apparatus which is adapted to monitor the communication traffic originating from a group of addresses and passing through a selected node on a network (col 12, lines 44-53; Lyle discloses an apparatus that monitors the communication traffic of the network for sending and receiving packets),

to trace a route of the traffic from the selected node back to the at least one of the addresses so as to identify a location of the computer on which the malicious program is running (col 6, lines 15-23; Lyle discloses a tracking system for the network elements of the protected area).

But Lyle fails to teach the claim limitation of detecting a pattern in the traffic originating from at least one of the addresses that is indicative of a malicious program running on a computer at the at least one of the addresses by determining that the computer has transmitted packets to a large number of different destination addresses.

However, Smithson teaches the limitation of detecting a pattern in the traffic originating from at least one of the addresses that is indicative of a malicious program running on a computer at the at least one of the addresses by determining that the computer has transmitted packets to a large number of different destination addresses (figure 2; col 4, lines 5-25; col 5, lines 6-23).

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Smithson so that the system would be able to determine whether files, software or emails contain a virus. One would be motivated to do so in order to identify the virus by comparing the parameters against the predetermined threshold levels and to block all traffic that contains a virus.

36. As to claim 60, Lyle and Smithson teach the apparatus as recited in claim 59, wherein the guard device is adapted to identify a port of a switch on the network to which the computer is connected, and to instruct the switch to disable the identified port (col 16, line 54 - col 17, line 13; Lyle discloses an apparatus that tracks the port at which the attack was detected, so as to identify the port of the node through which packets or messages associated with the attack are entering that node).

37. As to claim 62, Lyle and Smithson teach the apparatus as recited in claim 59, wherein the guard device is adapted to detect the pattern by detecting a large number of packets transmitted by the computer to a specified port (col 12, line 63 - col 13, line 8; Lyle discloses an apparatus that detects when massive numbers of copies of a suspicious but relatively innocuous message are sent in the hope of overloading the security system).

38. As to claim 63, Lyle teaches an apparatus which is adapted to monitor the communication traffic on a network so as to detect packets that are indicative of a communication failure in the network that is characteristic of a worm infection (col 10, lines 53-59; Lyle discloses an apparatus that monitors the network traffic for traffic that is suspicious in the sense that it indicates that an attack may be taking place),

to detect an increase in a rate of arrival of the packets that are indicative of the communication failure (col 10, line 60 - col 11, line 1; Lyle discloses an apparatus that determines whether the rate of certain types of messages exceeds a normal level).

But Lyle fails to teach the claim limitation of, responsively to the increase, filtering the communication traffic so as to remove at least a portion of the communication traffic that is generated by the worm infection.
However, Smithson teaches the limitation of, responsively to the increase, filtering the communication traffic so as to remove at least a portion of the communication traffic that is generated by the worm infection (figure 23; col 6, lines 34-43).

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Smithson so that the system would be able to determine whether files, software or emails contain a virus. One would be motivated to do so in order to identify the virus by comparing the parameters against the predetermined threshold levels and to block all traffic that contains a virus.

39. As to claim 64, Lyle and Smithson teach the apparatus as recited in claim 63, 
wherein the guard device is adapted to detect Internet Control Message Protocol 
(ICMP) unreachable packets as an indication of the communication failure (col 9, lines 
7-37). 

40. As to claim 65, Lyle and Smithson teach the apparatus as recited in claim 63, 
wherein the guard device is adapted to detect failures to establish a Transmission 
Control Protocol (TCP) connection (col 22, lines 25-43). 

41. As to claim 66, Lyle teaches an apparatus comprising a guard device, which is adapted:

to monitor the communication traffic on a network so as to detect ill-formed packets (col 7, lines 9-19; Lyle discloses an apparatus that scans the network for suspicious data within the tracking system),

to make a determination, responsively to the ill-formed packets, that at least a portion of the communication traffic has been generated by a worm infection (col 8, lines 26-39; Lyle discloses an alert module that determines a potential attack).

But Lyle fails to teach the claim limitation of, responsively to the determination, filtering the communication traffic so as to remove at least the portion of the communication traffic that is generated by the worm infection.

However, Smithson teaches the limitation of, responsively to the determination, filtering the communication traffic so as to remove at least the portion of the communication traffic that is generated by the worm infection (figure 23; col 6, lines 34-43).

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Smithson so that the system would be able to determine whether files, software or emails contain a virus. One would be motivated to do so in order to identify the virus by comparing the parameters against the predetermined threshold levels and to block all traffic that contains a virus.

42. As to claim 67, Lyle and Smithson teach the apparatus as recited in claim 66, wherein the packets comprise a header specifying a communication protocol, and wherein the guard device is adapted to detect that the packets contain data that are incompatible with the specified communication protocol (col 11, line 61 - col 12, line 19; Lyle discloses an apparatus that determines that a packet is incompatible by checking the numerical order of the packet).
43. As to claim 68, Lyle and Smithson teach the apparatus as recited in claim 66, wherein the packets comprise a header specifying a packet length, and wherein the guard device is adapted to detect that the packets contain an amount of data that is incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses an apparatus that identifies a suspicious packet by its bits).

44. As to claim 69, Lyle teaches a computer software product, comprising:

a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor communication traffic that is directed to the addresses in the subset (col 5, lines 12-17; Lyle discloses a product that monitors the network connection used to send and receive information via the network and other computers),

to determine respective baseline characteristics of the communication traffic that is directed to each of the addresses in the subset (col 8, lines 14-20; Lyle discloses a product that determines the baseline incident rate and the variance used for all networks),

to detect a deviation from the respective baseline characteristics of the communication traffic directed to at least one of the addresses in the subset, wherein the deviation is indicative that at least a portion of the communication traffic is of potentially malicious origin (col 10, lines 28-34; Lyle discloses a product that detects a suspiciously high volume of network traffic and the particular portion of the network under attack).
But Lyle fails to teach the claim limitations of identifying a selected subset of the group of the addresses such that the addresses in the subset are expected to receive smaller amounts of the communication traffic than other addresses in the group, and, responsively to detecting the deviation, filtering the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin.

However, Smithson teaches the limitation of identifying a selected subset of the group of the addresses such that the addresses in the subset are expected to receive smaller amounts of the communication traffic than other addresses in the group (figure 2; col 4, lines 5-25; col 5, lines 6-23), and, responsively to detecting the deviation, filtering the communication traffic that is directed to all of the addresses in the group so as to remove at least some of the communication traffic that is of the malicious origin (col 6, lines 34-43).

It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Lyle in view of Smithson so that the system would be able to determine whether files, software or emails contain a virus. One would be motivated to do so in order to identify the virus by comparing the parameters against the predetermined threshold levels and to block all traffic that contains a virus.
45. As to claim 72, Lyle and Smithson teach the product as recited in claim 69, 
wherein the baseline characteristics comprise a distribution of communication protocols 
used in generating the communication traffic (col 10, lines 19-28; Lyle discloses that the 
product of tracking the communication traffic using the sniffer module). 
46. As to claim 73, Lyle and Smithson teach the product as recited in claim 69, 
wherein the baseline characteristics comprise a distribution of ports to which the 
communication traffic is directed (col 14, lines 38-42; Lyle discloses a product that 
tracks the source of the attack to determine the point at which the attack 
is entering the network or sub-network). 

47. As to claim 74, Lyle and Smithson teach the product as recited in claim 69, 
wherein the baseline characteristics comprise a distribution of source addresses of the 
communication traffic (col 14, lines 13-19; Lyle discloses a product that uses 
characteristics of the incident, such as the source address, target address, and 
preceding characteristics). 

48. As to claim 75, Lyle and Smithson teach the product as recited in claim 69, 
wherein the baseline characteristics comprise a distribution of sizes of data packets 
sent to the addresses in the group (col 10, lines 44-53; Lyle discloses a product in 
which, when a particular port receives an unusually high number of data packets of any 
type, the sniffer module identifies this as a possible attack). 

49. As to claim 76, Lyle and Smithson teach the product as recited in claim 69, 
wherein the baseline characteristics are indicative of a distribution of operating systems 
running on computers that have transmitted the communication traffic (col 21, lines 32-
49; Lyle discloses a product that determines the system receiving and sending the 
packets). 

50. As to claim 77, Lyle and Smithson teach the product as recited in claim 76, 
wherein instructions cause the computer to read a Time-To-Live (TTL) field in Internet 
Protocol headers of data packets sent to the addresses in the group, and to detect a 
change in values of the TTL field relative to the baseline characteristics due to the 
distribution of the operating systems (col 11, lines 26-38). 

51. As to claim 78, Lyle and Smithson teach the product as recited in claim 69, 
wherein the instructions cause the computer to detect events that are indicative of a 
failure in communication between a first computer at one of the addresses in the group 
and a second computer at another location in the network (col 6, line 61 - col 7, line 
15; Lyle discloses a product that tracks the location of the core routers and any 
associated network element and blocks the potential attack). 

52. As to claim 79, Lyle and Smithson teach the product as recited in claim 78, 
wherein the events comprise failures to establish a Transmission Control Protocol 
(TCP) connection (col 22, lines 25-43). 

53. As to claim 89, Lyle and Smithson teach the product as recited in claim 69, 
wherein the instructions cause the computer to detect a type of the communication 
traffic that appears to be of the malicious origin, and to monitor the communication 
traffic so as to collect specific information relating to the traffic of the detected type (col 
4, lines 55-68; Lyle discloses a product that monitors the security of the computer 
network for suspicious, malicious or virus packets). 

54. As to claim 90, Lyle and Smithson teach the product as recited in claim 89, 
wherein the specific information comprises one or more source addresses of the traffic 
of the detected type (col 10, lines 38-43; Lyle discloses a product that maintains a list 
of suspicious source addresses). 
55. As to claim 93, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic originating from a group of addresses and passing through a 
selected node on a network (col 12, lines 44-53; Lyle discloses a product that 
monitors the communication traffic of the network for sending and receiving packets), 

to trace a route of the traffic from the selected node back to the at least one of 
the addresses so as to identify a location of the computer on which the malicious 
program is running (col 6, lines 15-23; Lyle discloses a product with a tracking system 
for the network elements of the protected area). 

But Lyle failed to teach the claim limitation wherein to detect a pattern in the 
traffic originating from at least one of the addresses that is indicative of a malicious 
program running on a computer at the at least one of the addresses by determining that 
the computer has transmitted packets to a large number of different destination 
addresses. 

However, Smithson teaches the limitation wherein to detect a pattern in the traffic 
originating from at least one of the addresses that is indicative of a malicious program 
running on a computer at the at least one of the addresses by determining that the 
computer has transmitted packets to a large number of different destination addresses 
(figure 2; col 4, lines 5-25; col 5, lines 6-23). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able to 
determine whether files, software or emails contain a virus. One would be motivated 
to do so in order to identify the virus by comparing the parameters against the predetermined 
threshold levels and to block all traffic that contains a virus. 

56. As to claim 94, Lyle and Smithson teach the product as recited in claim 93, 
wherein the instructions cause the computer to identify a port of a switch on the network 
to which the computer is connected, and to instruct the switch to disable the identified 
port (col 16, line 54 - col 17, line 13; Lyle discloses a product that tracks the 
port at which the attack was detected in order to identify the port of the node through 
which packets or messages associated with the attack entered that node). 

57. As to claim 96, Lyle and Smithson teach the product as recited in claim 93, 
wherein the instructions cause the computer to detect the pattern by detecting a large 
number of packets transmitted by the computer to a specified port (col 12, line 63 - col 
13, line 8; Lyle discloses a product that detects when massive numbers of 
copies of a suspicious but relatively innocuous message are sent in the hope of overloading the 
security system). 

58. As to claim 97, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic on a network so as to detect packets that are indicative of a 
communication failure in the network that is characteristic of a worm infection (col 10, 
lines 53-59; Lyle discloses a product that monitors the network traffic for traffic that is 
suspicious in the sense that it indicates that an attack may be taking place), 

to detect an increase in a rate of arrival of the packets that are indicative of the 
communication failure (col 10, line 60 - col 11, line 1; Lyle discloses a product 
that determines whether the rate of certain types of messages exceeds a normal level). 

But Lyle failed to teach the claim limitation wherein responsively to the increase, 
to filter the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection. 

However, Smithson teaches the limitation wherein responsively to the increase, 
to filter the communication traffic so as to remove at least a portion of the 
communication traffic that is generated by the worm infection (figure 23; col 6, lines 34- 
43). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able to 
determine whether files, software or emails contain a virus. One would be motivated 
to do so in order to identify the virus by comparing the parameters against the predetermined 
threshold levels and to block all traffic that contains a virus. 

59. As to claim 98, Lyle and Smithson teach the product as recited in claim 97, 
wherein the instructions cause the computer to detect Internet Control Message 
Protocol (ICMP) unreachable packets as an indication of the communication failure (col 
9, lines 7-37). 

60. As to claim 99, Lyle and Smithson teach the product as recited in claim 97, 
wherein the instructions cause the computer to detect failures to establish a 
Transmission Control Protocol (TCP) connection (col 22, lines 25-43). 
61. As to claim 100, Lyle teaches a computer software product, comprising: 

a computer-readable medium in which program instructions are stored, which 
instructions, when read by a computer, cause the computer to monitor the 
communication traffic on a network so as to detect ill-formed packets (col 7, lines 9-19; 
Lyle discloses a product that scans the network for suspicious data within 
the tracking system), 

to make a determination, responsively to the ill-formed packets, that at least a 
portion of the communication traffic has been generated by a worm infection (col 8, lines 
26-39; Lyle discloses a product whose alert module determines the potential 
attack). 

But Lyle failed to teach the claim limitation wherein responsively to the 
determination, to filter the communication traffic so as to remove the at least the portion 
of the communication traffic that is generated by the worm infection. 

However, Smithson teaches the limitation wherein responsively to the 
determination, to filter the communication traffic so as to remove the at least the portion 
of the communication traffic that is generated by the worm infection (figure 23; col 6, 
lines 34-43). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Lyle in view of Smithson so that the system would be able to 
determine whether files, software or emails contain a virus. One would be motivated 
to do so in order to identify the virus by comparing the parameters against the predetermined 
threshold levels and to block all traffic that contains a virus. 

62. As to claim 101, Lyle and Smithson teach the product as recited in claim 100, 
wherein the packets comprise a header specifying a communication protocol, and 
wherein the instructions cause the computer to detect that the packets contain data that 
are incompatible with the specified communication protocol (col 11, line 61 - col 12, 
line 19; Lyle discloses a product that determines that a packet is incompatible by 
measuring the numerical order of the packet). 

63. As to claim 102, Lyle and Smithson teach the product as recited in claim 100, 
wherein the packets comprise a header specifying a packet length, and wherein the 
instructions cause the computer to detect that the packets contain an amount of data 
that is incompatible with the specified packet length (col 18, lines 48-59; Lyle discloses 
a product that identifies a suspicious packet by its bits). 

64. As to claim 103, Lyle and Smithson teach the method as recited in claim 1, 
wherein identifying the subset comprises selecting clients for inclusion in the subset 
while excluding servers (figure 1; Lyle teaches the method of including the users in the 
subset for the edge router). 

65. As to claim 105, Lyle and Smithson teach the apparatus as recited in claim 35, 
wherein the subset includes clients while excluding servers (figure 1; Lyle teaches the 
apparatus of including the users in the subset for the edge router). 

66. As to claim 107, Lyle and Smithson teach the product as recited in claim 69, 
wherein the subset includes clients while excluding servers (figure 1; Lyle teaches the 
product of including the users in the subset for the edge router). 



Application/Control Number: 10/774,169 Page 28 

Art Unit: 2155 

67. Claims 12-13, 46-47, and 80-81 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Lyle, Patent No. 6,886,102 B1 in view of Smithson, Patent No. 
6,886,099 B1, and further in view of Porras, Patent No. 6,321,338 B1. 

Lyle teaches the invention substantially as claimed including system and method 
for protecting a computer network against denial of service attacks (see abstract). 

68. As to claim 12, Lyle and Smithson teach the method as recited in claim 1. But 
Lyle and Smithson failed to teach the claim limitation wherein receiving packets that are 
indicative of a communication failure in the network that is characteristic of a worm 
infection, and wherein filtering the communication traffic comprises deciding to filter the 
communication traffic responsively to receiving the packets. 

However, Porras teaches network surveillance (see abstract). Porras teaches 
the limitation wherein receiving packets that are indicative of a communication failure in 
the network that is characteristic of a worm infection, and wherein filtering the 
communication traffic comprises deciding to filter the communication traffic responsively 
to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that the 
engine could filter out the unwanted packets. One would be motivated to do so to 
prevent the potential attack and ensure the reliability of the network. 

69. As to claim 13, Lyle and Smithson teach the method as recited in claim 12. But 
Lyle and Smithson failed to teach the claim limitation wherein receiving the packets 
comprises receiving Internet Control Message Protocol (ICMP) unreachable packets. 
However, Porras teaches the limitation wherein receiving the packets comprises 
receiving Internet Control Message Protocol (ICMP) unreachable packets (col 5, lines 4-
29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that 
the ICMP packets which reach the gateway are filtered out. One would be motivated to do 
so to ensure the ill-formed packet will not travel into the network. 

70. As to claim 46, Lyle and Smithson teach the apparatus as recited in claim 35. 
But Lyle and Smithson failed to teach the claim limitation wherein the guard device is 
adapted to receive packets that are indicative of a communication failure in the network 
that is characteristic of a worm infection, and to decide to filter the communication traffic 
responsively to receiving the packets. 

However, Porras teaches the limitation wherein the guard device is adapted to 
receive packets that are indicative of a communication failure in the network that is 
characteristic of a worm infection, and to decide to filter the communication traffic 
responsively to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that the 
engine could filter out the unwanted packets. One would be motivated to do so to 
prevent the potential attack and ensure the reliability of the network. 
71. As to claim 47, Lyle and Smithson teach the apparatus as recited in claim 46. 
But Lyle and Smithson failed to teach the claim limitation wherein the packets comprise 
Internet Control Message Protocol (ICMP) unreachable packets. 

However, Porras teaches the limitation wherein the packets comprise Internet 
Control Message Protocol (ICMP) unreachable packets (col 5, lines 4-29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that 
the ICMP packets which reach the gateway are filtered out. One would be motivated to do 
so to ensure the ill-formed packet will not travel into the network. 

72. As to claim 80, Lyle and Smithson teach the product as recited in claim 69. But 
Lyle and Smithson failed to teach the claim limitation wherein the instructions cause the 
computer to receive packets that are indicative of a communication failure in the 
network that is characteristic of a worm infection, and to decide to filter the 
communication traffic responsively to receiving the packets. 

However, Porras teaches the limitation wherein the instructions cause the 
computer to receive packets that are indicative of a communication failure in the 
network that is characteristic of a worm infection, and to decide to filter the 
communication traffic responsively to receiving the packets (col 9, lines 49-63). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that the 
engine could filter out the unwanted packets. One would be motivated to do so to 
prevent the potential attack and ensure the reliability of the network. 

73. As to claim 81, Lyle and Smithson teach the product as recited in claim 80. But 
Lyle and Smithson failed to teach the claim limitation wherein the packets comprise 
Internet Control Message Protocol (ICMP) unreachable packets. 

However, Porras teaches the limitation wherein the packets comprise Internet 
Control Message Protocol (ICMP) unreachable packets (col 5, lines 4-29). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Porras so that 
the ICMP packets which reach the gateway are filtered out. One would be motivated to do 
so to ensure the ill-formed packet will not travel into the network. 



74. Claims 14-20, 23-24, 48-54, 57-58, 82-88, and 91-92 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Lyle, Patent No. 6,886,102 B1 in view of 
Smithson, Patent No. 6,886,099 B1, and further in view of Trcka, Patent No. 
2001/0039579 A1. 

Lyle teaches the invention substantially as claimed including system and method 
for protecting a computer network against denial of service attack (see abstract). 

75. As to claim 14, Lyle and Smithson teach the method as recited in claim 1. But 
Lyle and Smithson failed to teach the claim limitation wherein monitoring the 
communication traffic comprises making a determination that one or more packets 
transmitted over the network are ill-formed, and wherein filtering the communication 
traffic comprises deciding to filter the communication traffic responsively to the ill-formed 
packets. 

However, Trcka teaches network security and surveillance system (see abstract). 
Trcka teaches the limitation wherein monitoring the communication traffic comprises 
making a determination that one or more packets transmitted over the network are ill- 
formed, and wherein filtering the communication traffic comprises deciding to filter the 
communication traffic responsively to the ill-formed packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the 
system would filter out the malicious packet. One would be motivated to do so to 
ensure the safety of the network from viruses and hackers. 

76. As to claim 15, Lyle and Smithson teach the method as recited in claim 1. But 
Lyle and Smithson failed to teach the claim limitation wherein detecting the deviation 
comprises incrementing a count of events that are indicative of the malicious origin of 
the communication traffic, and deciding whether to filter the communication traffic 
responsively to the count. 

However, Trcka teaches the limitation wherein detecting the deviation comprises 
incrementing a count of events that are indicative of the malicious origin of the 
communication traffic, and deciding whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the 
system could enable and disable packet filtering. One would be motivated to do so in order to 
record the data-link level traffic without interfering with the normal flow of traffic. 

77. As to claim 16, Lyle and Smithson teach the method as recited in claim 15, 
wherein detecting the deviation comprises receiving data packets of potentially 
malicious origin, each data packet having a respective source address and destination 
address, and wherein incrementing the count comprises determining an amount by 
which to increment the count responsively to a given data packet depending upon 
whether among the data packets received previously, responsively to which the count 
was incremented, at least one data packet had the same respective source address and 
at least one data packet had the same respective destination address as the given data 
packet (col 7, lines 38-49; col 19, line 51 - col 20, line 23; Lyle discloses a 
method that identifies the messages related to a known or suspected attack or the possibility 
that an attack is taking place). 

78. As to claim 17, Lyle and Smithson teach the method as recited in claim 16, 
wherein determining the amount by which to increment the count comprises 
incrementing the count only if none of the data packets received previously, 
responsively to which the count was incremented, had at least one of the same 
respective source address and the same respective destination address as the given 
data packet (col 15, line 48 - col 16, line 6; Lyle discloses a method that tracks 
back to the point of attack at which the attack entered the network or sub-network). 

79. As to claim 18, Lyle and Smithson teach the method as recited in claim 1. But 
Lyle and Smithson failed to teach the claim limitation wherein detecting the deviation 
comprises detecting a type of the communication traffic that appears to be of the 
malicious origin, and wherein filtering the communication traffic comprises intercepting 
the communication traffic of the detected type. 

However, Trcka teaches the limitation wherein detecting the deviation comprises 
detecting a type of the communication traffic that appears to be of the malicious origin, 
and wherein filtering the communication traffic comprises intercepting the 
communication traffic of the detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that 
the suspicious packet is filtered. One would be motivated to do so to ensure the safety of 
the network. 

80. As to claim 19, Lyle and Smithson teach the method as recited in claim 18, 
wherein detecting the type comprises determining at least one of a communication 
protocol and a port that is characteristic of the communication traffic (col 5, lines 34-44; 
Lyle discloses a method of managing the exchange of information between 
network elements located at different physical locations via external connections such 
as an Internet connection). 

81. As to claim 20, Lyle and Smithson teach the method as recited in claim 18, 
wherein detecting the type comprises determining one or more source addresses of the 
communication traffic that appears to be of the malicious origin, and intercepting the 
communication traffic sent from the one or more source addresses (col 16, lines 44-49; 
Lyle discloses a method of tracking the source of an attack to determine the point 
of attack at which it is entering the network or sub-network). 

82. As to claim 23, Lyle and Smithson teach the method as recited in claim 1. But 
Lyle and Smithson failed to teach the claim limitation wherein monitoring and filtering 
the communication traffic comprise monitoring and filtering the communication traffic 
that is transmitted into a protected area of the network containing the group of the 
addresses so as to exclude the communication traffic from the area. 

However, Trcka teaches the limitation wherein monitoring and filtering the 
communication traffic comprise monitoring and filtering the communication traffic that is 
transmitted into a protected area of the network containing the group of the addresses 
so as to exclude the communication traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that 
the suspicious packet which tries to enter the protected area is filtered. One 
would be motivated to do so to improve the network security. 

83. As to claim 24, Lyle and Smithson teach the method as recited in claim 23, and 
comprising monitoring the communication traffic that is transmitted by computers in the 
protected area so as to detect an infection of one or more of the computers by a 
malicious program (col 10, lines 35-38; Lyle discloses a method of tracking the 
system interconnect across the network, such as a private network which is a protected 
area). 

84. As to claim 48, Lyle and Smithson teach the apparatus as recited in claim 35. 
But Lyle and Smithson failed to teach the claim limitation wherein the guard device is 
adapted to make a determination that one or more packets transmitted over the network 
are ill-formed, and to decide to filter the communication traffic responsively to the ill- 
formed packets. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
make a determination that one or more packets transmitted over the network are ill- 
formed, and to decide to filter the communication traffic responsively to the ill-formed 
packets (page 4, paragraph 41 ). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the 
system would filter out the malicious packet. One would be motivated to do so to 
ensure the safety of the network from viruses and hackers. 

85. As to claim 49, Lyle and Smithson teach the apparatus as recited in claim 35. 
But Lyle and Smithson failed to teach the claim limitation wherein the guard device is 
adapted to increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 
It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the 
system could enable and disable packet filtering. One would be motivated to do so in order to 
record the data-link level traffic without interfering with the normal flow of traffic. 

86. As to claim 50, Lyle and Smithson teach the apparatus as recited in claim 49, 
wherein the guard device is coupled to receive data packets of potentially malicious 
origin, each data packet having a respective source address and destination address, 
and is adapted to determine an amount by which to increment the count responsively to 
a given data packet depending upon whether among the data packets received 
previously, responsively to which the count was incremented, at least one data packet 
had the same respective source address and at least one data packet had the same 
respective destination address as the given data packet (col 7, lines 38-49; col 19, line 
51 - col 20, line 23; Lyle discloses an apparatus that identifies the messages 
related to a known or suspected attack or the possibility that an attack is taking place). 

87. As to claim 51, Lyle and Smithson teach the apparatus as recited in claim 40, 
wherein the guard device is adapted to increment the count only if none of the data 
packets received previously, responsively to which the count was incremented, had at 
least one of the same respective source address and the same respective destination 
address as the given data packet (col 15, line 48 - col 16, line 6; Lyle discloses 
an apparatus that tracks back to the point of attack at which the attack entered the 
network or sub-network). 
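As an added illustration (not code from the application, from Lyle, Smithson or Trcka), the event-count rule of claims 15-17 and 49-51 as a small Python model: a count of events indicative of malicious origin is incremented for a packet only when no previously counted packet shared its source or destination address (the claim 17 rule), and the decision to filter is taken against a threshold (claim 15). The sample packets, the threshold and the weighted variant of the claim 16 rule are constructed assumptions.

```python
"""Event counter modelled on claims 15-17 / 49-51 of the office action.

Added example; not code from the application or from the cited references.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str  # source address
    dst: str  # destination address


# Increment policy keyed by (source already counted?, destination already counted?)
IncrementPolicy = Dict[Tuple[bool, bool], int]

# Claim 17 rule: count a packet only when neither its source nor its
# destination matches a packet responsively to which the count was incremented.
CLAIM_17_POLICY: IncrementPolicy = {
    (False, False): 1,
    (True, False): 0,
    (False, True): 0,
    (True, True): 0,
}

# Assumed weighted variant of the claim 16 rule (constructed, not from the page):
# a packet sharing only one address with earlier counted traffic still counts,
# but for less than a packet that is new on both ends.
WEIGHTED_POLICY: IncrementPolicy = {
    (False, False): 2,
    (True, False): 1,
    (False, True): 1,
    (True, True): 0,
}


@dataclass
class DeviationCounter:
    """Guard-device style counter deciding whether to filter (claims 15/49)."""
    threshold: int
    policy: IncrementPolicy = field(default_factory=lambda: dict(CLAIM_17_POLICY))
    count: int = 0
    counted_src: Set[str] = field(default_factory=set)  # sources of counted packets
    counted_dst: Set[str] = field(default_factory=set)  # destinations of counted packets

    def increment_for(self, pkt: Packet) -> int:
        """Amount by which to increment the count for this packet (claim 16)."""
        key = (pkt.src in self.counted_src, pkt.dst in self.counted_dst)
        return self.policy[key]

    def observe(self, pkt: Packet) -> int:
        """Apply the increment; only counted packets extend the seen sets."""
        inc = self.increment_for(pkt)
        if inc > 0:
            self.count += inc
            self.counted_src.add(pkt.src)
            self.counted_dst.add(pkt.dst)
        return inc

    def should_filter(self) -> bool:
        """Decide whether to filter responsively to the count (claim 15)."""
        return self.count >= self.threshold


def run_counter(packets: Iterable[Packet], threshold: int,
                policy: IncrementPolicy = None) -> Tuple[int, bool, List[int]]:
    """Feed packets through a counter; return (count, filter decision, increments)."""
    counter = DeviationCounter(threshold, policy or dict(CLAIM_17_POLICY))
    increments = [counter.observe(p) for p in packets]
    return counter.count, counter.should_filter(), increments


# Constructed sample of packets of potentially malicious origin (assumed values).
SAMPLE_PACKETS = [
    Packet("10.0.0.1", "10.0.1.5"),  # new source and destination -> counted
    Packet("10.0.0.1", "10.0.1.6"),  # same source as a counted packet -> not counted
    Packet("10.0.0.2", "10.0.1.5"),  # same destination as a counted packet -> not counted
    Packet("10.0.0.3", "10.0.1.7"),  # new on both ends -> counted
    Packet("10.0.0.4", "10.0.1.8"),  # new on both ends -> counted
]

if __name__ == "__main__":
    count, decision, incs = run_counter(SAMPLE_PACKETS, threshold=3)
    print(f"claim 17 rule: increments={incs} count={count} filter={decision}")
    count, decision, incs = run_counter(SAMPLE_PACKETS, 9, WEIGHTED_POLICY)
    print(f"weighted rule: increments={incs} count={count} filter={decision}")
```

With the claim 17 rule the five sample packets yield a count of 3, so the filter decision is reached at a threshold of 3 but not at 4; the weighted variant counts the same packets as 8.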
88. As to claim 52, Lyle and Smithson teach the apparatus as recited in claim 35. 
But Lyle and Smithson failed to teach the claim limitation wherein the guard device is 
adapted to detect a type of the communication traffic that appears to be of the malicious 
origin, and to filter the communication traffic by intercepting the communication traffic of 
the detected type. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
detect a type of the communication traffic that appears to be of the malicious origin, and 
to filter the communication traffic by intercepting the communication traffic of the 
detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that 
the suspicious packet is filtered. One would be motivated to do so to ensure the safety of 
the network. 

89. As to claim 53, Lyle and Smithson teach the apparatus as recited in claim 52, 
wherein the type of the communication traffic that appears to be of the malicious origin 
is characterized by at least one of a communication protocol and a port (col 5, lines 34-
44; Lyle discloses an apparatus for managing the exchange of information between 
network elements located at different physical locations via external connections such 
as an Internet connection). 

90. As to claim 54, Lyle and Smithson teach the apparatus as recited in claim 52, 
wherein the guard device is adapted to determine one or more source addresses of the 
communication traffic that appears to be of the malicious origin, and to intercept the 
communication traffic sent from the one or more source addresses (col 16, lines 44-49; 
Lyle discloses an apparatus that tracks the source of an attack to determine the 
point of attack at which it is entering the network or sub-network). 

91. As to claim 57, Lyle and Smithson teach the apparatus as recited in claim 35. 
But Lyle and Smithson failed to teach the claim limitation wherein the guard device is 
adapted to monitor and filter the communication traffic that is transmitted into a 
protected area of the network containing the group of the addresses so as to exclude 
the communication traffic from the area. 

However, Trcka teaches the limitation wherein the guard device is adapted to 
monitor and filter the communication traffic that is transmitted into a protected area of 
the network containing the group of the addresses so as to exclude the communication 
traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the 
system filters suspicious packets that try to enter the protected area. One would be 
motivated to do so to improve the network security. 

92. As to claim 58, Lyle and Smithson teach the apparatus as recited in claim 57, 
wherein the guard device is adapted to monitor the communication traffic that is 
transmitted by computers in the protected area so as to detect an infection of one or 
more of the computers by a malicious program (col 10, lines 35-38; Lyle discloses that 
the apparatus tracks the system interconnect across the network, such as a private 
network, which is a protected area). 
93. As to claim 82, Lyle and Smithson teach the product as recited in claim 69. But 
Lyle and Smithson failed to teach the claim limitation wherein the instructions cause the 
computer to make a determination that one or more packets transmitted over the 
network are ill-formed, and to decide to filter the communication traffic responsively to 
the ill-formed packets. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to make a determination that one or more packets transmitted over the 
network are ill-formed, and to decide to filter the communication traffic responsively to 
the ill-formed packets (page 4, paragraph 41). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the 
system would filter out the malicious packet. One would be motivated to do so to 
ensure the safety of the network from viruses and hackers. 

94. As to claim 83, Lyle and Smithson teach the product as recited in claim 69. But 
Lyle and Smithson failed to teach the claim limitation wherein the instructions cause the 
computer to increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to increment a count of events that are indicative of the malicious origin of the 
communication traffic, and to decide whether to filter the communication traffic 
responsively to the count (page 7, paragraph 79; page 8, paragraph 80). 
It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the 
system could enable or disable packet filtering. One would be motivated to do so to 
record the data-link level traffic without interfering with the normal flow of traffic. 

95. As to claim 84, Lyle and Smithson teach the product as recited in claim 83, 
wherein when the computer is coupled to receive data packets of potentially malicious 
origin, each data packet having a respective source address and destination address, 
the instructions cause the computer to determine an amount by which to increment the 
count responsively to a given data packet depending upon whether among the data 
packets received previously, responsively to which the count was incremented, at least 
one data packet had the same respective source address and at least one data packet 
had the same respective destination address as the given data packet (col 7, lines 38- 
49; col 19, lines 51 - col 20, lines 23; Lyle discloses that the product identifies 
messages related to a known or suspected attack or to the possibility that an attack is 
taking place). 

96. As to claim 85, Lyle and Smithson teach the product as recited in claim 84, 
wherein the instructions cause the computer to increment the count only if none of the 
data packets received previously, responsively to which the count was incremented, 
had at least one of the same respective source address and the same respective 
destination address as the given data packet (col 15, lines 48 - col 16, lines 6; Lyle 
discloses that the product tracks back to the point of attack at which the attack 
entered the network or sub-network). 
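The counting rule of claims 83 to 85, as an added Python example (not the examiner's text and not code from any of the cited patents): a guard ignores traffic to real hosts, counts packets directed to a constructed set of trap addresses, increments the count only when the packet's source and destination are both new among previously counted packets (the claim 85 rule) or, under an assumed half-weight for a single matching address, one reading of the claim 84 rule, and decides to filter once a threshold is reached. `GuardCounter`, `TRAP_ADDRESSES`, the half-weight and the thresholds are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample: trap addresses no real host uses, standing in for the
# monitored subset of addresses to which the guard pays attention.
TRAP_ADDRESSES = frozenset({"10.0.0.200", "10.0.0.201", "10.0.0.202"})


@dataclass
class GuardCounter:
    """Count events indicative of malicious origin and decide whether to filter.
    strict=True: claim 85 rule, increment only when neither address matches a
    previously counted packet. strict=False: assumed claim 84 weighting, full
    increment when both addresses are new, half when one is, none otherwise."""
    monitored: frozenset
    threshold: float
    strict: bool = True
    count: float = 0.0
    seen_src: set = field(default_factory=set)
    seen_dst: set = field(default_factory=set)

    def observe(self, src: str, dst: str) -> float:
        """Process one packet; return the amount the count was incremented by."""
        if dst not in self.monitored:
            return 0.0  # traffic to a real host is not an event at all
        matches = (src in self.seen_src) + (dst in self.seen_dst)
        inc = (1.0 if matches == 0 else 0.0) if self.strict else (1.0, 0.5, 0.0)[matches]
        if inc > 0:
            # Only packets that incremented the count are remembered, matching
            # the "responsively to which the count was incremented" wording.
            self.count += inc
            self.seen_src.add(src)
            self.seen_dst.add(dst)
        return inc

    def should_filter(self) -> bool:
        return self.count >= self.threshold


# Constructed packets as (source, destination); the first goes to a real host.
SAMPLE_PACKETS = [
    ("192.0.2.10", "10.0.0.1"), ("192.0.2.10", "10.0.0.200"),
    ("192.0.2.10", "10.0.0.201"), ("192.0.2.11", "10.0.0.200"),
    ("192.0.2.12", "10.0.0.202"), ("192.0.2.13", "10.0.0.202"),
]


def run(packets, threshold, strict=True):
    """Return (per-packet increments, final count, filter decision)."""
    guard = GuardCounter(TRAP_ADDRESSES, threshold, strict)
    increments = [guard.observe(src, dst) for src, dst in packets]
    return increments, guard.count, guard.should_filter()
```

Under the strict rule the same source probing two trap addresses counts once, so a single scanning host cannot inflate the count on its own; under the weighted rule repeated probes still add up, just more slowly.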
97. As to claim 86, Lyle and Smithson teach the product as recited in claim 69. But 
Lyle and Smithson failed to teach the claim limitation wherein the instructions cause the 
computer to detect a type of the communication traffic that appears to be of the 
malicious origin, and to filter the communication traffic by intercepting the 
communication traffic of the detected type. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to detect a type of the communication traffic that appears to be of the 
malicious origin, and to filter the communication traffic by intercepting the 
communication traffic of the detected type (figure 3). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the 
system filters the suspicious packets. One would be motivated to do so to ensure the 
safety of the network. 

98. As to claim 87, Lyle and Smithson teach the product as recited in claim 86, 
wherein the type of the communication traffic that appears to be of the malicious origin 
is characterized by at least one of a communication protocol and a port (col 5, lines 34- 
44; Lyle discloses that the product manages the exchange of information between 
network elements located at different physical locations via external connections, such 
as an Internet connection). 

99. As to claim 88, Lyle and Smithson teach the product as recited in claim 86, 
wherein the instructions cause the computer to determine one or more source 
addresses of the communication traffic that appears to be of the malicious origin, and to 
intercept the communication traffic sent from the one or more source addresses (col 16, 
lines 44-49; Lyle discloses that the product tracks the source of an attack to 
determine the point of attack at which it is entering the network or sub-network). 

100. As to claim 91, Lyle and Smithson teach the product as recited in claim 69. But 
Lyle and Smithson failed to teach the claim limitation wherein the instructions cause the 
computer to monitor and filter the communication traffic that is transmitted into a 
protected area of the network containing the group of the addresses so as to exclude 
the communication traffic from the area. 

However, Trcka teaches the limitation wherein the instructions cause the 
computer to monitor and filter the communication traffic that is transmitted into a 
protected area of the network containing the group of the addresses so as to exclude 
the communication traffic from the area (figure 5). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Trcka so that the 
system filters suspicious packets that try to enter the protected area. One would be 
motivated to do so to improve the network security. 

101. As to claim 92, Lyle and Smithson teach the product as recited in claim 91, 
wherein the instructions cause the computer to monitor the communication traffic that is 
transmitted by computers in the protected area so as to detect an infection of one or 
more of the computers by a malicious program (col 10, lines 35-38; Lyle discloses that 
the product tracks the system interconnect across the network, such as a private 
network, which is a protected area). 
102. Claims 104, 106 & 108 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Lyle, Patent No. 6,886,102 B1 in view of Smithson, Patent No. 
6,886,099 B1, and further in view of Bartleson, Patent No. 6,934,857 B1. 

Lyle teaches the invention substantially as claimed including system and method 
for protecting a computer network against denial of service attacks (see abstract). 

103. As to claim 104, Lyle and Smithson teach the method as recited in claim 1. But 
Lyle failed to teach the claim limitation wherein identifying the subset comprises 
selecting trap addresses that are not used by actual computers for inclusion in the 
subset. 

However, Bartleson teaches security system and method for handheld 
computers (see abstract). Bartleson teaches the limitation wherein identifying the 
subset comprises selecting trap addresses that are not used by actual computers for 
inclusion in the subset (col 6, lines 44 - col 7, lines 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Bartleson so that 
the patch is loaded in the operating system when the security system is enabled. One 
would be motivated to do so to create the trap address from the original address, to 
replace it with the new patch, and to transfer the information to the trap address once 
the virus or malicious packets are detected. 

104. As to claim 106, Lyle and Smithson teach the apparatus as recited in claim 35. 
But Lyle failed to teach the claim limitation wherein the subset includes trap addresses 
that are not used by actual computers. 
However, Bartleson teaches the limitation wherein the subset includes trap 
addresses that are not used by actual computers (col 6, lines 44 - col 7, lines 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Bartleson so that 
the patch is loaded in the operating system when the security system is enabled. One 
would be motivated to do so to create the trap address from the original address, to 
replace it with the new patch, and to transfer the information to the trap address once 
the virus or malicious packets are detected. 

105. As to claim 108, Lyle and Smithson teach the product as recited in claim 69. But 
Lyle failed to teach the claim limitation wherein the subset includes trap addresses that 
are not used by actual computers. 

However, Bartleson teaches the limitation wherein the subset includes trap 
addresses that are not used by actual computers (col 6, lines 44 - col 7, lines 24). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify the combination of Lyle and Smithson in view of Bartleson so that 
the patch is loaded in the operating system when the security system is enabled. One 
would be motivated to do so to create the trap address from the original address, to 
replace it with the new patch, and to transfer the information to the trap address once 
the virus or malicious packets are detected. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Saleh Najjar can be reached on 571-272-4006. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 